My apologies to John Gilmore for tweaking his famous 1993 quote about censorship. But the above statement just happens to sum up the alternatives Windows users are adopting ever since Microsoft’s “Windows Genuine Advantage” (WGA) debacle.

It was only a few weeks ago when the Redmond software giant started quietly auto-installing WGA to Windows machines in the U.S., U.K., and a few other countries. The code, which qualifies as spyware under any objective definition, was programmed to contact Microsoft’s servers every 24 hours. Now, after hearing from plenty of outraged customers, the company back-pedaled on June 27, saying it would release a version that calls home less often.

That’s not really a solution, as I’ll explain below. Since that’s the case, the entire affair has given enormous momentum to third-party products that render Microsoft’s Windows Update routine completely unnecessary.

I’ll explain in today’s article exactly how you can best deal with WGA. For those in a hurry, here’s a 4-point elevator summary:

When Microsoft first announced Windows Live OneCare, I figured Redmond had a lot of cojones to charge consumers for protection against flaws in its own products.

In OneCare’s first month, however, it appears to my jaundiced eye that MS has responded admirably to two real, in-the-wild, zero-day attacks — first in Word, then in Excel — via a little-known free service called the Windows Live Safety Center. Never heard of it? Read on.

What is Windows Live OneCare?

"Help get confidence and peace of mind with round-the-clock protection and maintenance—virus scanning, firewalls, tune ups, file backups, the whole nine yards." That’s what Live OneCare’s marketeers say. Yes, I know that Windows XP SP2 has a firewall, of sorts, and that entire industries support firewalls, virus scanning, tune-ups and backups with packages that range from utterly free to very expensive. Not sure where you can buy a whole nine yards, or even half of one, but I’ll leave that to the philosophers.

Microsoft charges $49.95 USD for one year of OneCare, and that fee can cover up to three computers. Compared to more expensive antivirus programs, it’s a deal. Compared to highly capable free packages, well… you do the math.

What Windows Live OneCare offers that no other company can offer is the name. M-i-c-r-o-s-o-f-t. Face it. Microsoft built the products that need protection. They have, by far, the largest reporting and support organization for those products. If something goes bump in the night, Microsoft can call out a whole army of programmers who know the terrain and have the resources — even the source code — to find and fix the problem.

When you pay for Windows Live OneCare, you’re paying for that expertise.

Cavorting on a tilted playing field

Here’s the rub. Many people who discover real, new malware (viruses, Trojans, worms and the like) send a report to the manufacturer of their favorite antivirus program. Many people go straight to Microsoft. Industry insiders tell me that Microsoft has been "pretty good" about disseminating new information to its competitors, the traditional antivirus software vendors. But there’s no doubt in anyone’s mind that Microsoft has the big guns — the people and the tools necessary to pinpoint the cause of the problem.

Before Windows Live OneCare, Microsoft disseminated critical information about new problems to all the major antivirus software vendors more-or-less simultaneously. Now that Microsoft peddles its own antivirus product, the playing field’s no longer level.

This month’s Word zero-day exploit

Although details remain sketchy, it appears that Shih-hao Weng at the Information & Communication Security Technology Center in Taipei discovered a Word document that uses SmartTags in a malicious way that had never been seen before — a zero-day exploit. He contacted Microsoft, as you might expect. Sporadic reports about the exploit spread like wildfire around the Net. Several days later, Microsoft officially confirmed the existence of a "memory corruption error when handling Word documents using a malformed object pointer."

There are a lot of ways your machines can be attacked. Not all of them are via the Internet.

Some attack vectors require physical access, but many others can hit you without notice when you do something as simple as accessing an external device.

Take a moment to shut down autoplay

I received feedback from a reader named Bob, who said he enjoyed my June 15 article on potential problems with the new “U3” USB keys. He indicates that he typically disables autoplay entirely, since it’s not a big deal to manually run an inserted CD. Excellent point. This should eliminate the possibility that U3 drives, which can emulate CDs, will run code automatically.

I was remiss in pointing out an autoplay threat without in the same column covering how to disable autoplay. Mea culpa.

In Windows NT-based systems, run regedit.exe. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Cdrom. Find the DWORD value named AutoRun. Change it from 1 to 0.
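The same registry change can be audited and applied from a script. The following is an added example, not part of the original column; the `-Apply` switch and the `Get-CdromAutoRun` function name are assumptions of this sketch, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: audit, then optionally disable, the CD-ROM AutoRun value.
# -Apply is a hypothetical switch defined by this sketch, not a Windows option.
param([switch]$Apply)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$name = 'AutoRun'

function Get-CdromAutoRun {
    # Returns the current DWORD value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

# Writing under HKLM requires administrator rights; report early if missing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$current = Get-CdromAutoRun
if ($null -eq $current) {
    Write-Output "$name is not present under $key"
} else {
    Write-Output "$name is currently $current"
}

if ($current -eq 0) {
    Write-Output 'AutoRun is already disabled; nothing to change.'
    return
}
if (-not $Apply) {
    Write-Output 'Audit only. Re-run with -Apply to set the value to 0.'
    return
}
if (-not $isAdmin) {
    Write-Error 'Not elevated: cannot write to HKLM. Start PowerShell as administrator.'
    return
}

# Apply the change from the column (1 -> 0), then read it back to confirm.
Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
$after = Get-CdromAutoRun
if ($after -eq 0) {
    Write-Output "$name changed from $current to 0."
} else {
    Write-Error "$name is still $after after the write."
}
```

Run without arguments, the script only reports the current value, which makes it usable as a check across several machines before any change is made.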

What if you have a Windows 9x-based system? How do you disable autorun there? As my fellow columnist, Susan Bradley, pointed out in her June 15 column, it’s time to give up on Win 9x.

The last few weeks haven’t been good for Microsoft Excel. Three serious vulnerabilities affecting the popular spreadsheet program have been revealed. Two of these are already being actively exploited in the wild.

This is a serious concern, as there currently isn’t a patch for any of the three holes. But I’ll arm you with workarounds that should keep hackers from storming your computer.

Excel’s ‘repair mode’ can be exploited

All versions of Excel from 2000 to 2003 (including Excel Viewer 2003) are vulnerable to a memory corruption problem in the “repair mode” feature. This function fixes corrupted documents. To exploit the vulnerability, a hacker would have to get a user to open a specially crafted Excel file. The file could be sent as an e-mail attachment or hosted on a Web site where a visitor could access it. Social-engineering techniques, which have worked in the past, could be used to accomplish this.

A hacker who was able to exploit this vulnerability could get the same user rights as the local user, allowing the introduction of infected files. The problem was discovered as a zero-day exploit and is already being used in the wild in targeted attacks to install infected software. One example of that is explained in Symantec’s description of Trojan.Mdropper.J.

Microsoft is aware of the flaw and has confirmed the vulnerability in Microsoft security advisory 921365. In that document and in the Microsoft Security Response Center blog, Microsoft states that it is working on a patch, but a time frame on its release is unknown.

What to do: Microsoft’s advisory on this flaw lists several workarounds for this issue. Most of them are for the more advanced user and involve modifying the Registry. The workarounds that Microsoft recommends are extreme and could very well corrupt your installation of Excel, if not done properly.

Windows Live Safety Center, which Woody Leonhard explains above, does catch Excel files that are infected with the repair-mode hack.

It may be easier for you to use Open Office’s Calc while you’re waiting for this vulnerability to be fixed. Also, always remember to never open any e-mail attachment from any source unless you’re expecting it. Unanticipated attachments should be treated as infected until you confirm them offline with the sender.

The flaw is a boundary error in hlink.dll when processing hyperlinks in, for example, Excel documents. If a hacker can trick a user into clicking a link in an infected Excel document, a stack-based buffer overflow allows the hacker to run infected code.

With the June patches being so numerous this month, even some folks who ordinarily patch quickly are just now getting around to patching.

But with proof-of-concept code and live exploits already on the Net for many of the flaws announced on June 13, if you haven’t yet updated, now’s the time to test and patch.

MS06-025 (911280) Scripted dial-up fails after MS patch

Most of us no longer use command-line dial-up scripts to configure 56K modems. If you do, however, you may need to check out KB 911280. This document has recently been updated to describe conflicts between MS06-025, which was released on June 13, and dial-up scripting. Microsoft says it plans to release a revised version of MS06-025 at some unspecified future date.

I’ve applied MS06-025 to several servers with no issues whatever. If a conflict applies to you, though, your dial-up connections can be completely halted.

Installing MS06-025 is particularly important if you’re using Windows 2000 and Internet connection sharing. Several exploit examples and POC code samples have already been posted on the Internet to exploit the flaw that MS06-025 fixes.

Microsoft re-released MS06-025 on June 27, and it’s now compatible with dial-up scripts. You’ll want to reinstall the patch if you were bitten by the problem. Read the Microsoft Security Response Center’s

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.
